After upgrade to 2008 (CertEnroll) Stand-alone CA, web browsing certs work on XP, not 7
Posted on 2011-03-07
I am managing a web application that uses digital certificates to identify end-users over the internet for access to the app. We were using Server 2003 R2 x86, but got tired of installing certs manually for Windows 7.
Having a few extra licenses of Server available, I cloned the existing app server (which is the CA too), changed its product key, and upgraded that to 2008 x32 (R2 only x64 :( ). After sorting out some minor problems (including having to publish a new CRL), I can get XP clients to work normally. However, 7 clients using the same web enrollment get the root and client certificates but cannot access the site. Error is "page requires client certificate (403.7)".
The root and client certificates are there, but the key usage on the client cert is only "Key Encipherment (20)". On XP clients, the key usage is "Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)".
Any guidance would be appreciated! Thanks, Tom.
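
The two key-usage masks quoted in the question (20 and f0) can be decoded with the following added example, which is not part of the original post. It parses the DER BIT STRING of an X.509 KeyUsage extension and checks for digitalSignature, the bit a client needs in order to sign the TLS handshake during client-certificate authentication. The function names and the sample DER bytes are constructed for illustration.

```python
# Added example: decode an X.509 KeyUsage extension value (DER BIT STRING).
KEY_USAGE_BITS = [  # RFC 5280 section 4.2.1.3, bit 0 first
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> list[str]:
    """Return the usage names set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2 or length < 2:
        raise ValueError("unexpected length for a KeyUsage value")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    if payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    names = []
    total_bits = len(payload) * 8 - unused
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        # ASN.1 bit 0 is the most significant bit of the first payload byte
        if payload[bit // 8] & (0x80 >> (bit % 8)):
            names.append(KEY_USAGE_BITS[bit])
    return names

def can_sign_tls_client_auth(der: bytes) -> bool:
    """TLS client authentication has the client sign a handshake message,
    so the certificate's KeyUsage must include digitalSignature."""
    return "digitalSignature" in decode_key_usage(der)

# Constructed DER values matching the two masks quoted in the post
WIN7_CERT_KU = bytes.fromhex("03020520")  # mask 0x20
XP_CERT_KU = bytes.fromhex("030204f0")    # mask 0xf0

if __name__ == "__main__":
    for label, der in (("Windows 7", WIN7_CERT_KU), ("XP", XP_CERT_KU)):
        print(label, decode_key_usage(der), can_sign_tls_client_auth(der))
```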